Software signing is a widely used method for ensuring that an electronic device runs only code that it is intended to and that code has been provided by a trusted party. Having control over which software runs on an electronic device is important for several reasons: safety of the device, privacy of the consumer, brand protection, certification of the device, complying with legislation authorities, protecting the software asset of the device, enabling application and service business etc. Losing control over executable software can have serious impacts both to consumers and to device manufacturers.
Public key cryptography (PKI) is a method that can be used for signing software and verifying authenticity of the software. PKI uses a key pair comprising a public key and a private key. The private key is used for signing software and shall only be known to the entity that controls which software will be allowed to be executed in a particular device. This entity may be the device manufacturer, for example. The public key shall be stored on the device and the device is configured to use the public key for performing a cryptographic check to new software before allowing it to be executed in the device.